Doug,
Douglas Otis wrote:
On Sun, 2006-01-22 at 18:46 +0000, Stephen Farrell wrote:
Douglas Otis wrote:
The signature header is not removed,
just the 'b=base64' is obfuscated with a result indicating whether the
MDA verified the signature upon acceptance.
I hate to do this yet again, but the term obfuscation is taken,
and not for what you mean, which confuses me at least. Quoting
[1] for example:
obfuscation - technology to shroud the context and contents of code.
Obfuscated applications function properly, yet confuse human
observers and decompilers.
Would the term signature-overlay or perhaps signature-masking be okay?
Were it me, I'd first consult the literature before inventing
any new terminology related to digital signatures. At the least,
I'd first ask someone who's familiar with that literature.
Without having checked, I can't say either of those terms ring
a bell, but using clear, unambiguous terms is a good thing and
[ab|re]using existing terms in odd ways is a bad thing.
The MDA 'w=' parameter ensures this signature will not be
accepted by any other AdmD.
Ok, so you mean something like having an MDA sign in order to
attest that the message arrived with status <foo>. Our charter
has a stretch goal for that specifically not to be done without
a recharter:
Once the primary goals are met, the DKIM working group may also study
whether to adopt a work item for specifying a common mechanism to
communicate the results of message verification to the message
recipient. The generation of a standards-track specification on this
topic will require an update to the DKIM working group charter.
What is being proposed is _not_ a new header or a fundamental change to
the DKIM signature. This proposal involves an introduction of a single
character 'w=' parameter added to the signature.
Part of the problem with this proposal is the sales-talk that
accompanies it. You clearly know that it is not significant that
"w=" rather than "malarkey=" is just a few characters shorter and
you also know that that fact is totally unworthy of mention.
The current base DKIM draft does not define how multiple signatures are
handled, how mediators are recognized, or how replay abuse can be
prevented.
IMO, none of the above necessitate assertions made on behalf of
MDAs (to use your term).
> The rather simple 'w=' parameter adds to the DKIM signature
a basis for solutions for resolving these open issues. This simple
option should not demand a recharter in order to resolve some rather
basic issues, some of which were raised in the initial review conducted
by Russ. This option is also upwardly compatible with the current
implementations.
I personally don't agree. Any DKIM-defined assertion on behalf of the
verifier of a message is complicated. Luckily, our charter says this
pretty clearly, so to the extent that replay is an issue (and my gut
tells me it is), other anti-replay mechanisms are preferable.
Regards,
Stephen.
PS: The "personally" above, means, as usual, that as co-chair, I am
of course happy to go with the consensus even if I "personally"
disagree.
_______________________________________________
ietf-dkim mailing list
http://dkim.org